Dec 2023, Issue 22
Research
Insecure VPNs allow attackers to compromise your passwords and devices

  
Testing VPN front-end apps with an attack setup

As organizations increasingly embrace information technologies in their daily operations, cyber security has become an important topic for both practitioners and academic researchers. This is exemplified by the recent high-profile attacks against the Hong Kong Cyberport and Consumer Council, where sensitive data were exfiltrated and leaked by cyber criminals. A curious but serious question to ask is: how do attackers penetrate the systems of different organizations in the first place?

A recent research project, led by Prof. Chau Sze Yiu from the Department of Information Engineering, might shed some light on this. In their recent study [1], Prof. Chau's team found that many VPN setups around the globe are actually insecure. The discovered vulnerabilities allow a network attacker, such as a rogue hotel or café Wi-Fi operator, to easily and stealthily obtain the passwords of users when they attempt to connect to their organizational VPNs. Additionally, some vulnerabilities even enable hackers to take control of the user's device, which can cause additional damage.

To improve mobility and make remote work easier, many companies and organizations provide VPN services to their employees. By connecting to such VPNs, employees can join their company network even when they are travelling. This allows them to access internal network services and other resources that are normally not open to the external network. Likewise, many educational institutes require their students and staff to connect to the school VPN in order to access library subscriptions and other internal services. The use of such VPNs skyrocketed during the COVID-19 pandemic, when people in many countries had to work or study remotely from home.

Similar to other network services, organizational VPNs typically require user logins and perform password-based user authentication. That is, users prove their identities to the service end-point by presenting their passwords. In some setups, two-factor authentication (2FA) might be used in addition to passwords. A common form of 2FA in this context is sending a push notification to the user to seek extra approval. Alternatively, the user might open a smartphone app to obtain a passcode, and send this passcode together with the password to the service end-point in one go, thus achieving 2FA.

While much attention has been put on strengthening user authentication, interestingly, the server authentication of many VPN setups is not as robust. In this context, server authentication, which confirms the identity of the service end-point, is a critical step in protecting the VPN user from impersonation attacks. In general, methods of server authentication follow one of three strategies: (i) blind trust without using any keys, (ii) establishing trust using one symmetric secret key, or (iii) establishing trust with a pair of asymmetric keys. Strategy (i) is inherently insecure and should be avoided, whereas the security of strategy (ii) depends entirely on the secrecy of the symmetric key.

To better understand the security of the global VPN ecosystem, the research team collected and analyzed about 2000 VPN user manuals from universities worldwide, and found security issues in several hundred of them. In particular, 44 school VPNs were found to adopt strategy (i) and are thus vulnerable. Furthermore, 149 school VPNs follow strategy (ii), yet 118 of them, including the old CUHK VPN, directly expose the secret key in their user manuals, thus opening the door to attacks.

From the analysis of user manuals, the researchers also curated a list of popular VPN products that follow server authentication strategy (iii). Specifically, the research team identified and tested 132 front-end apps of those VPN products. Users are generally expected to use such front-end apps to connect to their school VPN services. Surprisingly, 63 of the 132 front-end apps were found to contain previously unknown vulnerabilities, effectively rendering their strategy (iii) as insecure as strategy (i). Additionally, the front-end applications of some VPN products allow a network attacker to execute arbitrary malicious code with high privileges on the user's device, compromising the entire system.
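The gap between a front-end app that actually verifies the server's certificate and one that merely carries the key material is small in code but decisive, as the following added example shows. It is not code from the paper or from any VPN product the study examined: it stands up two loopback TLS end-points, one with a constructed "genuine" certificate that the client has been configured to trust and one with an unrelated certificate for the same host name, and tries a client against both with and without verification. The host name vpn.example.edu, the function names and the Outcome type are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// GatewayName is a hypothetical VPN gateway host name used throughout the example.
const GatewayName = "vpn.example.edu"

// makeCert builds a self-signed server certificate for host in memory (constructed
// test material; a real gateway would hold one issued by the organization's CA).
func makeCert(host string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// startGateway answers TLS handshakes on a loopback port (a stand-in VPN end-point) until stop() is called.
func startGateway(cert tls.Certificate) (addr string, stop func()) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// connect dials a gateway the way a VPN front-end app would. With verify=false the client
// accepts any certificate (strategy (iii) degraded to (i)); with verify=true it demands a
// chain to the trusted root and a matching host name.
func connect(addr string, roots *x509.CertPool, verify bool) error {
	cfg := &tls.Config{ServerName: GatewayName, RootCAs: roots, InsecureSkipVerify: !verify}
	conn, err := tls.Dial("tcp", addr, cfg) // server authentication happens in this handshake
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome holds each client configuration's handshake result (nil means "accepted").
type Outcome struct {
	SkipVerifyGenuine, SkipVerifyImpostor, VerifyGenuine, VerifyImpostor error
}

// RunScenario starts a genuine gateway and an impersonator for the same name, then tries both client configurations.
func RunScenario() Outcome {
	genuine, genuineLeaf := makeCert(GatewayName)
	impostor, _ := makeCert(GatewayName) // different key, same name, not in the trust store
	roots := x509.NewCertPool()
	roots.AddCert(genuineLeaf) // the only server certificate the client should trust
	gAddr, gStop := startGateway(genuine)
	defer gStop()
	iAddr, iStop := startGateway(impostor)
	defer iStop()
	return Outcome{
		SkipVerifyGenuine:  connect(gAddr, roots, false),
		SkipVerifyImpostor: connect(iAddr, roots, false),
		VerifyGenuine:      connect(gAddr, roots, true),
		VerifyImpostor:     connect(iAddr, roots, true),
	}
}
func main() {
	o := RunScenario()
	fmt.Printf("no verification: genuine=%v impersonator=%v\n", o.SkipVerifyGenuine, o.SkipVerifyImpostor)
	fmt.Printf("verification:    genuine=%v impersonator=%v\n", o.VerifyGenuine, o.VerifyImpostor)
}
```

The client that skips verification accepts both end-points, so the asymmetric key pair on the gateway buys it nothing; the verifying client accepts only the end-point whose certificate chains to the root it was configured with and whose name matches. In a production front-end app the trusted root would be the organization's CA or the system trust store, and the same check applies to any tunnel protocol that rides on TLS.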

Knowing the aforementioned weaknesses in server authentication, an attacker can craft and deploy a VPN impersonator, and users will have no way of telling whether the end-point is genuine or fraudulent, and thus hand over their passwords or even control of their devices as they use their organizational VPNs. Note that under this attack, even 2FA would not protect the users. With passcode 2FA, since both the passcode and the password are sent via the same channel, the VPN impersonator receives both, and the attacker can immediately log in to other organizational services as the user. With push notification 2FA, since the user intended to connect, if the attacker immediately uses the stolen password to log in to the genuine VPN service, the user is highly likely to grant the approval. In other words, when a user attempts to connect to the VPN while working remotely at a hotel or café, a rogue Wi-Fi operator can easily and stealthily compromise the user's credentials or system, which can cause serious damage to the user as well as the user's organization.

Given the severity of these findings, the research team diligently informed stakeholders around the globe and made various safety recommendations. After receiving our alerts, a number of local and foreign institutes, including CUHK, have revamped their VPN systems and user manuals, and expressed their gratitude to the research team. Multiple affected vendors have also fixed the related defects in their VPN products, and awarded several bug bounties to the team.


References
[1] Ka Lok Wu, Man Hong Hue, Ngai Man Poon, Kin Man Leung, Wai Yin Po, Kin Ting Wong, Sze Ho Hui, Sze Yiu Chau. 2023. Back to School: On the (In)Security of Academic VPNs. In Proceedings of The 32nd USENIX Security Symposium (USENIX Security '23).

Author: Professor Chau Sze Yiu, Department of Information Engineering
  
A low-cost, portable Evil Twin (ET) attack setup
Copyright © 2024. All Rights Reserved. The Chinese University of Hong Kong.